Remarks

Claims 1-10 and 12-24 are pending. 

Response to Arguments 
1. Applicant's arguments filed 12/14/2006 have been fully considered but they are
not persuasive. 

Applicant argues that there is no motivation to combine Subramaniam with 
Steiner and that there is no need to incorporate the Kerberos authentication service 
taught in Steiner into the intranet access system of Subramaniam. As seen in Figure 2 
and related portions of the specification, Subramaniam creates a secure connection 
between the border server and external client. Using this secure connection, the user is 
authenticated by any of various forms (examples of which are shown in Column 12, 
lines 39-46). By implementing Kerberos authentication during this step (126 of figure 2), 
the benefits of Kerberos are obtained, as described in Steiner. Some of the obtained 
benefits are that Kerberos is an authentication scheme that is reliable, transparent, 
scalable, and difficult to circumvent. Additionally, the dual protection scheme of 
authenticating via Kerberos using a secure connection means that the information 
passed during authentication is encapsulated within such secure connection, thereby 
providing further protection for Kerberos authentication exchanges. 

Applicant also argues that the privilege server (element 140 of figure 1) of 
Subramaniam is only used for validating and rejecting authentication of a user and that 
the privilege server of Subramaniam does not have a policy engine therein. In response 
to applicant's arguments against the references individually, one cannot show
nonobviousness by attacking references individually where the rejections are based on
combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA
1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 12-23 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Subramaniam (U.S. Patent 6,081,900) in view of Steiner (Steiner et al., "Kerberos: An
Authentication Service for Open Network Systems", 3/30/1988, pp. 1-15).

Regarding Claim 12, 

Subramaniam discloses a method for accessing a service by a user
comprising:

A privilege server (Figure 1, numeral 140; and Column 8, line 47 to 
Column 9, line 10); 

A web adapter interposed between a client and the privilege server, 
as well as a service server (Figure 1, numeral 112; and Column 6, lines 
25-38); and 

Choosing a service in a service server (Column 6, lines 40-45); 
But does not explicitly disclose presenting a user ticket and
sequence number to a service, sending a session name encrypted with 
the ticket and a user identification to a privilege server and requesting a 
session key and sequence number, receiving the session name from the 
user, validating the user ticket and a user privilege, when the user is 
validated, issuing the session key and sequence number for the ticket, 
encrypting the session key and sequence number with the ticket to form a 
packet, and sending the packet and ticket to the service. 

Steiner, however, discloses presenting a user ticket and sequence 
number to a service (Pages 5-7, Sections 4.0, 4.3, and 4.4); 

Choosing a service in a service server (Pages 5-7, Sections 4.0, 
4.3, and 4.4); 

Sending a session name encrypted with the ticket and a user 
identification to a privilege server and requesting a session key and 
sequence number (Pages 6-7, Sections 4.3 and 4.4); 

Receiving the session name from the user (Pages 6-7, Sections 4.3 
and 4.4); 

Validating the user ticket and a user privilege (Pages 6-7, Sections 
4.3 and 4.4); 

When the user is validated, issuing the session key and sequence 
number for the ticket (Pages 6-7, Sections 4.3 and 4.4); 
Encrypting the session key and sequence number with the ticket to
form a packet (Pages 6-7, Sections 4.3 and 4.4); and 

Sending the packet and ticket to the service (Pages 6-7, Sections 
4.3 and 4.4). It would have been obvious to one of ordinary skill in the art 
at the time of applicant's invention to incorporate the authentication 
service of Steiner into the intranet access system of Subramaniam in 
order to provide an authentication scheme that is difficult to circumvent, 
reliable, transparent, and scalable (Pages 2-3, Section 1). 
Regarding Claim 13, 

Subramaniam discloses a system for authenticating a user having a 
user proxy for generating user information comprising: 

A web adapter coupled to the user proxy for receiving user 
information (Figure 1, numeral 112; and Column 6, lines 25-38); 

A service server coupled to the web adapter (Figure 1, numeral 104);

An intermediate server coupled to the web adapter for receiving the 
user information (Figure 1, numeral 106); and 

A privilege server coupled to the intermediate server (Figure 1,
numeral 140; and Column 8, line 47 to Column 9, line 10); 

But does not explicitly disclose the privilege server receiving the 
user information and validating the user in response to the user 
information, the privilege server generating a ticket, the user proxy
receiving the ticket, generating a token and communicating the token to
the privilege server, the privilege server generating a packet having a
sequence number and a session key in response to the token and
coupling the ticket and the sequence number to a service server through
the web adapter, and the service server validating the user and granting
user privileges in response to the ticket and the session key.

Application/Control Number: 10/022,578
Art Unit: 2137

Steiner, however, discloses the privilege server receiving the user 
information and validating the user in response to the user information, the 
privilege server generating a ticket (Page 6, Section 4.2); 

The user proxy receiving the ticket (Page 6, Section 4.2), 
generating a token and communicating the token to the privilege server 
(Page 7, Section 4.4); 

The privilege server generating a packet having a sequence 
number and a session key in response to the token and coupling the ticket 
and the sequence number to a service server through the web adapter 
(Pages 6-7, Sections 4.3 and 4.4); and 

The service server validating the user and granting user privileges 
in response to the ticket and the session key (Pages 6-7, Section 4.3). It
would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to incorporate the authentication service of Steiner 
into the intranet access system of Subramaniam in order to provide an 
authentication scheme that is difficult to circumvent, reliable, transparent,
and scalable (Pages 2-3, Section 1). 
Regarding Claim 14, 

Subramaniam as modified by Steiner discloses the system of claim 
13, in addition, Subramaniam discloses that the intermediate server 
comprises a head end server (Figure 1, numeral 106). 
Regarding Claim 15, 

Subramaniam as modified by Steiner discloses the system of claim
13, in addition, Steiner discloses that the user information comprises a 
user identification number (Pages 13-14). 
Regarding Claim 16, 

Subramaniam as modified by Steiner discloses the system of claim 
13, in addition, Steiner discloses that the privilege server has a policy 
engine therein (Pages 5-7, Section 4). 
Regarding Claim 17, 

Subramaniam as modified by Steiner discloses the system of claim 
16, in addition, Steiner discloses that the privilege server comprises a key 
generator coupled to the policy engine (Pages 5-7, Section 4). 
Regarding Claim 18, 

Subramaniam as modified by Steiner discloses the system of claim 
16, in addition, Subramaniam discloses that the privilege server comprises 
a proxy coordinator coupled to the policy engine (Column 8, line 47 to
Column 9, line 10).
Regarding Claim 19,

Subramaniam as modified by Steiner discloses the system of claim
16, in addition, Steiner discloses that the privilege server comprises an
obfuscator/deobfuscator coupled to the policy engine (Pages 5-7, Section
4).

Regarding Claim 20, 

Subramaniam as modified by Steiner discloses the system of claim 
16, in addition, Steiner discloses that the privilege server comprises a 
store keeper coupled to the policy engine (Pages 5-9, Sections 4 and 5). 
Regarding Claim 21,

Subramaniam as modified by Steiner discloses the system of claim
20, in addition, Steiner discloses that the store keeper comprises a user
information list and a session information list (Pages 5-9, Sections 4 and
5).

Regarding Claim 22, 

Subramaniam as modified by Steiner discloses the system of claim 
20, in addition, Steiner discloses that the service server validating the user 
and granting the user privileges in response to the ticket, session key, and
sequence number (Pages 6-7, Section 4.3). 

Regarding Claim 23,

Subramaniam discloses a method of authenticating a user having a
user proxy for a network system having a privilege server, a head end 
server and a web adapter, the method comprising: 

Determining an authentication scheme at the privilege server 
(Column 8, line 47 to Column 9, line 10); and 

Validating the user at the privilege server in response to user 
information in accordance with the authentication scheme (Column 8, line 
47 to Column 9, line 10); 

But does not explicitly disclose when the user is validated, 
generating a ticket for the user at the privilege server, encrypting the ticket 
with a user password to form an encrypted ticket, validating the user in 
response to a service access request token formed from the ticket and a 
user identification, and forming a packet having a sequence number and 
session key encrypted with the ticket at the privilege server to authenticate 
the user. 

Steiner, however, discloses validating the user at the privilege 
server in response to user information in accordance with the 
authentication scheme (Page 6, Section 4.2);

When the user is validated, generating a ticket for the user at the 
privilege server (Page 6, Section 4.2); 

Encrypting the ticket with a user password to form an encrypted 
ticket (Page 6, Section 4.2);

Validating the user in response to a service access request token
formed from the ticket and a user identification (Page 7, Section 4.4); and 

Forming a packet having a sequence number and session key 
encrypted with the ticket at the privilege server to authenticate the user 
(Page 7, Section 4.4). It would have been obvious to one of ordinary skill 
in the art at the time of applicant's invention to incorporate the 
authentication service of Steiner into the intranet access system of
Subramaniam in order to provide an authentication scheme that is difficult 
to circumvent, reliable, transparent, and scalable (Pages 2-3, Section 1). 

Allowable Subject Matter 

3. Claims 1-10 and 24 are allowed. 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jeffrey D. Popham whose telephone number is
(571)-272-7215. The examiner can normally be reached on M-F 9:00-5:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise, can be reached on (571)272-3865. The fax phone
number for the organization where this application or proceeding is assigned is
571-273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Jeffrey D Popham 

Examiner 
Art Unit 2137 



